Consulting Companies to Pay $11.3 Million for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract

ALBANY, NEW YORK – Guidehouse Inc., headquartered in McLean, Virginia, has paid $7,600,000, and Nan McKay and Associates (Nan McKay), headquartered in El Cajon, California, has paid $3,700,000, to resolve allegations that they violated the False Claims Act by failing to meet cybersecurity requirements in contracts intended to ensure a secure environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic.

The announcement was made by United States Attorney Carla B. Freedman; Principal Deputy Assistant Attorney General Brian M. Boynton of the Department of Justice’s Civil Division; Acting Inspector General Richard K. Delmar of the Department of the Treasury’s Office of Inspector General (Treasury OIG); and New York State Comptroller Thomas P. DiNapoli.

In early 2021, Congress established the emergency rental assistance program (ERAP) to provide financial assistance to eligible low-income households to cover the costs of rent, rental arrears, utilities, and other housing-related expenses during the COVID-19 pandemic. Participating governments were required to establish programs to distribute the federal funding to eligible tenants and landlords. In New York, the Office of Temporary and Disability Assistance (OTDA) was the state agency responsible for administering New York’s ERAP. In May 2021, Guidehouse and OTDA entered a contract under which Guidehouse, as the prime contractor, assumed responsibility for the New York ERAP, including for the ERAP technology and services provided to New Yorkers. Nan McKay, in turn, served as Guidehouse’s subcontractor and was responsible for delivering and maintaining the ERAP technology product used in New York to fill out and submit online applications requesting rental assistance (ERAP Application).

Guidehouse and Nan McKay shared responsibility for ensuring that the ERAP Application underwent cybersecurity testing in its pre-production environment before it was launched to the public. As part of the settlements announced today, Guidehouse and Nan McKay admitted that neither satisfied their obligation to complete the required pre-production cybersecurity testing. The State’s ERAP went live on June 1, 2021. Twelve hours later, OTDA shut down the ERAP website after determining that certain applicants’ personally identifiable information (PII) had been compromised and portions were available on the internet. Guidehouse and Nan McKay acknowledged that had either of them conducted the contractually-required cybersecurity testing, the conditions that resulted in the Information Security Breach may have been detected and the incident prevented.

In addition, as part of its settlement, Guidehouse admitted that for a short time period in 2021, it used a third-party data cloud software program to store personally identifiable information without first obtaining OTDA’s permission, in violation of its contract.

United States Attorney Carla B. Freedman stated: “Contractors who receive federal funding must take their cybersecurity obligations seriously. We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”

Principal Deputy Assistant Attorney General Brian M. Boynton stated: “Federal funding frequently comes with cybersecurity obligations, and contractors and grantees must honor these commitments. The Department of Justice will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”

Acting Inspector General Richard K. Delmar stated: “These vendors failed to meet their data integrity obligations in a program on which so many eligible citizens depend for rental security, which jeopardized the effectiveness of a vital part of the government’s pandemic recovery effort. Treasury OIG is grateful for DOJ’s support of its oversight work to accomplish this recovery.”

New York State Comptroller Thomas P. DiNapoli stated: “This settlement sends a strong message to New York State contractors that there will be consequences if they fail to safeguard the personal information entrusted to them or meet the terms of their contracts. Rental assistance has been vital to our economic recovery and the integrity of the program needs to be protected. I thank the United States Department of Justice, United States Attorney Freedman, and the United States Department of the Treasury Office of Inspector General for their partnership in exposing this breach and holding these vendors accountable.”

On October 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put sensitive information at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents. Information on how to report cyber fraud can be found here.

The United States’ investigation was prompted by a lawsuit filed under the whistleblower provisions of the False Claims Act, which permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds, and to receive a share of any recovery. The settlement agreements in this case provide for the whistleblower, Elevation 33, LLC, an entity owned by a former Guidehouse employee, to receive a $1,949,250 share of the settlement amounts. The case is captioned United States ex rel. Elevation 33, LLC v. Guidehouse Inc. et al., Case No. 1:22-cv-206 (N.D.N.Y.).

The investigation was a result of a coordinated effort between the United States Attorney’s Office for the Northern District of New York; the Justice Department’s Civil Division, Commercial Litigation Branch, Fraud Section; Treasury OIG; and the Office of the New York State Comptroller. The United States was represented by Assistant United States Attorney Adam J. Katz and Trial Attorney J. Jennifer Koh.